A few months ago Google officially retired its Soap search Api and put an Ajax search Api instead. The official reason was that it’s moving to a “new generation” Api, however some comments claimed for a conspiracy where Google is trying to push ads into the results or trying to prevent consumers from reordering them. Since Google’s search engine main business is ads it makes sense for them to reduce the number of non-Html Api consumers.

Google Apps however do not rely solely on ads. When organizations pay to get their domains in apps they expect to get some Api for their calendar, documents and etc. With this Api Google chose to be Rest/Atom based.

And I haven’t mentioned yet Google Protocol Buffers – a proprietary an open source serialization format developed by Google.

It seems Google likes to do stuff its own way. In some cases it’s a commercial trick to force its ads on Api users. This is a legitimate move but as long as they insist the real reason is a better “new generation” we can call it a trick. In other cases Google claim their new format is better than existing ones. protobuf is one example. However it’s a shame that every vendor comes up with its own formats. In this particular case, some of the other encodings in the market include Microsoft binary xml encoding and xml fast infoset.

Saturday, January 23, 2010

Sometimes it is useful to look at some of the known xsd schemas. These schemas are the xsd schema itself, the soap schema, the schema of wsdl and much more.If you have VS 2008 installed then check out this folder:

The reason is that the ReSharper runner does not know the "ExpectedException" attribute of NUnit. Who knows, maybe it's just a version thing and some x.y.z version of ReSharper knows how to work with the u.v.w version of NUnit. The lesson is that when you have two clocks you never know what the real time is...

The following gotcha applies when the server is written in a Java framework (e.g. Axis) and the client is in .Net. When we "add service reference" in VS to create the client proxy from the wsdl we may get this error:

Custom tool error: Unable to import WebService/Schema. Unable to import binding 'SomeBinding' from namespace 'http://SomeNamespace'. Unable to import operation 'myOpereration'. These members may not be derived.

In order to understand what this means we need to take a look at some other (valid wsdl):

This means that the EchoString operation accepts a message that looks like that:

<EchoString xmlns="..."> <s>some string</s></EchoString>

We might expect the proxy class to look something like that:

string EchoString(EchoStringRequest req) {...}

class EchoStringRequest{ string s;}

However the real proxy looks like this:

string EchoString(string s) {...}

Why?The reason is that most wsdls use the "document/literal/wrapped" pattern. This means that the first element of the message ("EchoString" here) is just some wrapper that the user does not really care about. What our user cares about is the "s" parameter. So the proxy generated the more useful proxy.

Whenever the name of a part is "parameters" .Net assumed doc/lit/wrapped is used and generates the proxy accordingly. If even though the word "parameters" is used the wsdl is not doc/lit/wrapped (as in the last example) .Net may give us some error. Which error? You guessed correctly: "These members may not be derived". Now we can understand what the error means: .Net tries to omit the root element as it thinks doc/lit/wrapped is used. However this element cannot be removed since it is not dummy - it should be actively chosen by the user out of a few derived types.

FixThe way to fix it is open the wsdl in a text editor and change the part name from "parameters" to "parameters1". Now .Net will know to generate a doc/lit/bare proxy. This means a new wrapper class will appear as the root parameter in the proxy. While this may be a little more tedious api, this will not have any affect on the wire format and the proxy is fully interoperable.

Friday, January 8, 2010

One important attack against web services is a "replay attack": a malicious man-in-the-middle captures a valid message from a client to a server and resends it. This can cause duplicate transactions or denial of service (DOS).

Typically the way to protect here is to have a timestamp on the message and some expiration policy on the server. This is a very simplified description though, here are all the details.

The receiving party can then decide based on some policy how much after the message was created it is suspected as a replay.

But what is this service policy? We can see an "expires" element in the client message itself, then why does the service need an additional policy?

The answer is that there is a duplicate protection against replay attacks. The client can decide its own policy and express it inside the message. The server should respect this policy and also adds its own policy. For example:

Client sends a message in 15:00

Client expiration policy is set to 15:05

Service gets the message in 15:06

Service expiration policy is set to 15:07

In this case the message is considered valid by the service, but the service is expected to respect the client policy and reject the message. the situation gets more interesting when we add real network latency and clocks synchronization into the picture.

In Wcf there are two somehow confusing settings to control the expiration:

LocalServiceSecuritySettings.ReplayWindow - The service expiration policy.

LocalclientSecuritySettings.TimestampValidityDuration - The client expiration policy as expressed in the message itself.

There are various other settings which relate to tolerance for clock differences and I will write a separate post on them some other time.

Wednesday, January 6, 2010

We all love our Fiddler. It is a great Http proxy to use when debugging web services (and html). Fiddler now has a WCF binary encoding message inspector. It allows us to see in clear xml binary messages. This is very usefull especially since binary encoding is the default setting for Silverlight 3 applications.

Recently I had to consume an Axis2 web service using a Wcf client. Axis2 used the rampart module for message security where a mutual X.509 certificate was required. Since I had control over both client and server I was able to fine tune them to reach perfect interoperability.

On the Axis side, I have found the WS-Policy flavor configuration better to work with (interoperability-wise) .

This is the Axis configuration:

and this is the Wcf configuration:

Here is the full Axis2 service (which is based on the rampart SDK sample):

and the wcf client:

You will also need certificates.

Client certificate:

Server Certificate:

If prompt for a password use "adminamdin".

This is the Java key store:

and the password is "adminadmin".

If you want to use your own certificate just make sure the certificates have an SKI.

Saturday, January 2, 2010

I have recently needed to delete 100+ comments from my blogger account. Unfortunately blogger only allows to delete one comment at a time. This is really not helping when I need to delete 100+ comments.

The trick is to use a browser that supports tabs (almost all of them today) and to middle click the basket icon near each comment we want to delete. It will now open in a new tab:

We still need to approve the deletion in that tab, but at least we do not need the extra clicks of returning to the original post and finding the next comment.